Setup RANCID and ViewVC (Part One)

KB ID 0001331

Problem

There are couple of good posts out there on setting up Rancid (Really Awesome New Cisco Config Differ). Some even show you how to set it up with ViewVC (Formally ViewVCS, basically a nice web based GUI front end, that does version control and highlights differences). It does this using a system called CVS (Concurrent Version System, hence the original name.)

Then I had to do some more searching to get it to back up my Cisco ASA firewalls and get the whole thing automated, which Ill cover in Part Two.

OS: CentOS 7 x64

Rancid: 3.4.1

ViewVC: 1.1.24

Solution

Once it’s built, let’s update our server;

[box]

yum upgrade
yum update
Answer any questions with 'y' for yes.

[/box]

Lets install all the components we need;

[box]

yum install nano wget ftp telnet mariadb-server mariadb perl tcl expect gcc cvs rcs httpd autoconf php-common php-gd php-pear php-pecl-memcache php-mysql php-xml mod_ssl MySQL-python

[/box]

We only need a simple web server, so set the firewall accordingly (I’m opening http (TCP 80) and https (TCP 443) but we will only configure http in this example);

[box]

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

[/box]

We have already installed Apache (web server), so we need to start it up, then set it to ‘auto-start’ with the server. Then create a group, and a user (rancid), and place that user in the group we created. Finally create a directory for us to ‘unzip’ rancid into.

[box]

systemctl enable httpd.service
systemctl start httpd.service
groupadd netadm
useradd -g netadm -c "Networking Backups" -d /home/rancid rancid
mkdir /home/rancid/tar

[/box]

Move into the directory, we just created then download RANCID, unzip it, then install it.

[box]

cd /home/rancid/tar/
wget ftp://ftp.shrubbery.net/pub/rancid/rancid-3.4.1.tar.gz
tar -zxvf rancid-3.4.1.tar.gz
cd rancid-3.4.1
./configure --prefix=/usr/local/rancid
make install

[/box]

Copy over the ‘clogin’ file, (more on this later). Then set the ownership and and permissions on the rancid files and directories.

[box]

cp cloginrc.sample /home/rancid/.cloginrc
chmod 0640 /home/rancid/.cloginrc
chown -R rancid:netadm /home/rancid/.cloginrc
chown -R rancid:netadm /usr/local/rancid/
chmod 775 /usr/local/rancid/

[/box]

Now to set the ‘top level’ groups. Above I’ve got Firewalls and Switches, you might want to create a group for each customer you are backing up, or each site. (the design is up to you), but these are the ‘folder names’ you will see when you first log into the ViewVC web front end. Next you need to edit the main Rancid configuration file;

[box]

nano /usr/local/rancid/etc/rancid.conf

[/box]

Uncomment and add your groups, i.e.
LIST_OF_GROUPS=”Firewalls Switches

Save and Exit the file, (in nano that’s CTRL+X, then Y to save, and finally {Enter}.) Now we need to change to the rancid user we created earlier, (remembering to swap back to ‘root’ afterwards). We do this to create the folder structure for the groups we just created. Most importantly this creates the router.db file(s) which lives in each group/folder. This file specifies what the devices are, and where they are, that you will be backing up.

[box]

su -rancid

Or 'su rancid' if you are logged in as root

/usr/local/rancid/bin/rancid-cvs
su

[/box]

Download and install ViewVC.

[box]

cd /home/rancid/tar/
wget http://viewvc.tigris.org/files/documents/3330/49471/viewvc-1.1.24.tar.gz
tar -zxvf viewvc-1.1.24.tar.gz
cd viewvc-1.1.24
./viewvc-install

[/box]

Open the ViewVC config file;

 

[box]

nano /usr/local/viewvc-1.1.24/viewvc.conf

[/box]

Uncomment and change the values, (as shown above).

root_parents = /usr/local/rancid/var/CVS : cvs
rcs_dir = /usr/local/bin
use_rcsparse = 1

Now to enable ViewVC to work with Apache, we need to copy over some CGI, and set some permissions.

[box]

cp /usr/local/viewvc-1.1.24/bin/cgi/*.cgi /var/www/cgi-bin
chmod +x /var/www/cgi-bin/*.cgi
chown apache:apache /var/www/cgi-bin/*.cgi

[/box]

Then in the Apache config file, scroll to the end and add the following text, (don’t forget to save and exit the file).

[box]

nano /etc/httpd/conf/httpd.conf

Paste the following (at the bottom)

# Custom Rancid Config

<VirtualHost>
        DocumentRoot /var/www
        ScriptAlias /cgi-bin/ "/var/www/cgi-bin"
        ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
        ScriptAlias /query /var/www/cgi-bin/query.cgi
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
</VirtualHost>

[/box]

We already installed MariaDB, (similar to MySQL) earlier, we just need to start it up, then set it to auto start with the server. Out of the box, MariaDB is a little insecure, so there’s a process of hardening it called ‘mysql_secure_installation’.

Note: the first time you run the secure installation it will ask for a password, this is the root password for MariaDB NOT the Linux root password, this will be {blank} so just hit {Enter}, then Yes to set the password, and set the MySQL/MariaDB root password (NEVER LOSE OR FORGET THIS). You will need it in a minute anyway, for all the other questions simply press {Enter} to accept the defaults.

[box]

systemctl enable mariadb
systemctl start mariadb
sudo mysql_secure_installation

[/box]

Now that MariaDB is installed, we need to create a user in SQL that ViewVC will use, to do that we need to log into SQL using the root password you just setup.

[box]

mysql -u root -p
Enter your SQL root password
CREATE USER 'VIEWVC'@'localhost' IDENTIFIED BY ‘Password123’;
GRANT ALL PRIVILEGES ON *.* TO 'VIEWVC'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
quit

[/box]

Note: sometime it does not like you copying and pasting the first ‘CREATE USER…’ line, (I don’t know why.) If it complains, type it out manually!

Now that is set up we can get ViewVC to create its database.

[box]

cd /usr/local/viewvc-1.1.24/bin
./make-database

[/box]

Use the following settings when prompted;

MySQL Hostname (leave blank for default):{Enter}

MySQL Port (leave blank for default):{Enter}

MySQL User: VIEWVC

MySQL Password: Password123

ViewVC Database Name [default: ViewVC]:{Enter}

Then, (the same as you did earlier,) create another user in MariaDB, that will be a ‘read-only’ user.

[box]

mysql -u root -p
Enter your SQL root password
CREATE USER 'VIEWVCRO'@'localhost' IDENTIFIED BY ‘Password456’;
GRANT SELECT ON ViewVC.* TO 'VIEWVCRO'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
quit

[/box]

Edit the ViewVC configuration so that it uses all the parameters you have setup;

[box]

nano /usr/local/viewvc-1.1.24/viewvc.conf

[/box]

 

Un

Scroll down to the [csvdb] section, then uncomment and change the values shown (above,) so that look like.

enabled = 1
host = localhost
port = 3306
database_name = ViewVC
user = VIEWVC
passwd = Password123
readonly_user = VIEWVCRO
readonly_passwd = Password456

Then get ViewVC to ‘rebuild’ the database .

[box]

/usr/local/viewvc-1.1.24/bin/cvsdbadmin rebuild /usr/local/rancid/var/CVS/CVSROOT/

[/box]

Reboot the server, and if you browse to http://{ip-or-hostname}/viewvc you should see something like this;

 

In Part Two we will add some Cisco Devices (Switches and ASA Firewalls) and schedule the backups.

Related Articles, References, Credits, or External Links

NA

CentOS 7 – Serving HTTPS with Apache2

KB ID 0001210  

Problem 

This week I’ve been working on changing the site over to https. Buying a digital certificate used to be an expensive long winded affair, but not anymore. A quick internet search turned up a 3 year SSL certificate for less than 15 quid.

Getting the certificate was the easy bit, getting it installed so that Apache would use it was another ‘challenge’. On a scale of one to ten, I’m about a three (on a good day) with Linux!

Before you start, you need to generate a CSR and send that to whoever you are going to buy your cert from

Linux (CentOS 7) Generating CSR (Certificate Signing Requests)

What about free Certs? There are some firms that offer free certs, some require you to install software that updates the cert every ninety days, other have a short lifespan. I’m not usually one to spend any money but for a fiver a year, why not?

Solution

Your certificate vendor will sent you your certificate, it will probably come with at least one other cert. In my case it came with three other CA Certs (a RootCA and two Intermediate CA Certs). If you are unfamiliar with certificates, here’s the two golden certificate rules;

  • You MUST trust the authority (CA), that issued the certificate, or issued the cert to the CA that issued the cert etc.
  • The NAME on the certificate, either the Common Name (CN), or the Subject Alternative Name (SAN). MUST match the address you are going to.

What you will find with these <ahem> cheaper certificates, is that you trust a CA, and that CA issues another CA Certificate, (to a subordinate CA), that Issues another CA Certificate (To a Subordinate CA), and that CA issues your certificate. All these certificates form a ‘chain’ and it looks like this;

OK why is that important? Well to trust your certificate, your visitors, (and Apache) need to be able to see all the certificates in this chain, right back to the RootCA certificate at the top (which they will trust, or there’s not much point selling them!)

Some vendors will give you a certificate bundle, mine did not so I had to make one (this is not hard to do, see below). But now when you make that certificate bundle, you will have a better understanding of what you are doing, (putting all the CA certs in the chain order, into one file).

Installing SSL Certificates Into Apache

Before you start you may need to install mod_ssl ‘yum install mod_ssl’ will do that 🙂

First you need to copy all the files into CentOS, I created a folder in ‘/etc/ssl/’ called ‘localcertificates’ and copied in the domain cert, the key file (that got generated when I made the CSR – See the link above). And I’ve copied in all the CA Certificates. (I use FileZilla to do this because it’s free, and easy to use).

Now Log into your CentOS server via SSH and navigate to this directory, then use the ‘CAT’ command to make a certificate bundle with all your CA Certificates, (notice the order, SubCA2 > SubCA1 > RootCA). Note: Your certificates will probably have different names.

[box]

cd /etc/ssl/localcerts
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > My-CA.ca-bundle

[/box]

Now in the same directory you will have another file called My-CA.ca-bundle. To get Apache to use the certificates you need to edit the httpd.conf  file. In CentOS 7 that usually lives in ‘/etc/httpd/conf’. I use nano because it’s easier to edit files with,  (yum install nano). Im also going to back-up the config up as well, in case something goes wrong!

[box]

cd /etc/httpd/conf 
cp httpd.conf httpd.conf-old 
nano httpd.conf

[/box]

Locate the part of the file that says ‘Listen *.80’ and place a line below it that says ‘Listen *.443’.

Scroll to the end of the file and paste in the following, (change the filenames to match your own).

[box]

<VirtualHost *:443>     
     SSLEngine On
     SSLCertificateFile /etc/ssl/localcerts/your-file.crt
     SSLCertificateKeyFile /etc/ssl/localcerts/your-file.key
     SSLCertificateChainFile/etc/ssl/localcerts/My-CA.ca-bundle

     ServerAdmin admin@your-domain.com
     ServerName www.your-site.com
     DocumentRoot /var/www/html
     ErrorLog /var/www/logs/error.log
     CustomLog /var/www/logs/access.log combined
</VirtualHost>

[/box]

Note: Make Sure the Logs folder exists in /var/www if you use the same paths as me! Also SSLCertificateChainFile will change in newer versions of Apache to SSLCACertificatePath.

You can now restart Apache and browse to https://www.your-site.com. It can take a little while before it’s back up!

[box]

apachectl restart
apachectl status

[/box]

Everything’s Broken Help!!

This is why we backed up the config, first if there’s a problem ‘apache status’ usually says ‘theres a problem on line XYZ of the httpd.conf file’, if you open it in a text editor that will point you to a resolution. If all else fails, you can restore the original config like so;

[box]

cd /etc/httpd/conf 
cp httpd.conf-old httpd.conf
apachectl start
apachectl status

[/box]

How To Redirect All HTTP Traffic to HTTPS in Apache?

That’s even easier, if you have a virtual host for poor 80 already setup in https.conf then just add ‘ Redirect / https://www.your-site.com/’ to it. I did not, but adding one did not break/affect my site at all. After the text you pasted in above for the  virtualhost for SSL just paste in a new one for http (TCP port 80).

[box]

<VirtualHost *:80>     
  ServerName www.your-site.com
  DocumentRoot /var/www/html
  ErrorLog /var/www/logs/error80.log
  CustomLog /var/www/logs/access80.log combined

  Redirect / https://www.your-site.com/
</VirtualHost>

[/box]

 

Related Articles, References, Credits, or External Links

NA

Can I delete _vti_inf.html and the _vti folders?

KB ID 0000742 

Problem

I was doing some site tidying this week, usually If I don’t know what something is I leave it alone, but I was on a mission! I had a bunch of files/folders in the root of my website, that, a) I didn’t know what they were doing, and b) wanted to delete.

File: _vti_inf
Folders: _private, _vti_bin, _vti_cnf, _vti_log, vti_pvt, _vti_txt

Solution

As it turns out these folders are needed for FrontPage and FrontPage Extensions. I CAN simply delete them, but since my web host provides me with cPanel access to the website, I can simply disable the extensions there, and this removes all the junk for me. (I don’t intend to use FrontPage).

1. Log into cPanel, locate FrontPage Extensions.

2. Uninstall Extensions.

3. You should see something similar.

4. Now we are a bit less cluttered.

Related Articles, References, Credits, or External Links

NA

RSS Error – Your feed appears to be encoded as “UTF8”, but your server is reporting “US-ASCII”

KB ID 0000889 

Problem

I don’t validate and check the sites RSS feed as often as I should, but post server migration I got this error;

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.
Your feed appears to be encoded as “UTF8”, but your sever is reporting “US-ASCII”

Solution

As you can see by the section I’ve indicated above, I can see where the UTF-8 is being set on the page. I just need my server (CentOS with Apache2) to allow it.

1. Edit (or create a file in the same directory as the RSS XML file) .htaccess and add the following lines to the end.

[box]

# Add the UTF-8 Character Set
AddCharset UTF-8 .xml

[/box]

2. The restart Apache.

[box]

service https restart

[/box]

Related Articles, References, Credits, or External Links

NA

Google Analytics – Redundant Hostnames

(Redirecting non www URL’s to www URL’s)

KB ID 0001016 

Problem

I noticed this a while back, apparently Google Analytics started flagging this for many users on October 14th 2014. But I’ve only just got round to sorting it out.

If you are seeing this error its because your site is ‘addressable’ in more than one way, in my case you could get to me via http://petenetlive and http://www.petenetlive.com. I could have registered both in ‘Google Webmaster Tools’, and set one as a preferred site, but I didn’t want to update my Analytics code (I’ve got custom stuff in there I don’t want to re-write). So my next option is to do a ‘301 redirect’.

Solution

1. I use Apache web server, and I have my own VPS, so I can pretty much do what I want, If you side is hosted you may need to ask them to ensure that the rewrite_module is loaded on your web server. If you have your own you will need to take a look at your httpd.conf file.

2. Make sure that (like below), there is a line that is not commented out, that reads;

[box]LoadModule rewrite_module modules/mod_rewrite,so[/box]

3. Now in the root of your website edit (or create) the .htaccess file. And pate the following onto the end of it, (change accordingly);

[box]RewriteEngine On
RewriteCond %{HTTP_HOST} ^petenetlive.com
RewriteRule (.*) http://www.petenetlive.com/$1 [R=301,L][/box]

4. Save and upload the file (If using Notepad, make sure it does not put a .txt extension on the end of the filename – it should have NO extension).

5. Now go to http://your-website.com, (It will probably still work because your browser will attempt to load the page from its cache, so press CTRL+F5 to force refresh). If should redirect to http://www/your-website.com

6. To make doubly sure you can go here and type in http://your-website.com it should say something like;

HTTP/1.1 301 Moved Permanently
Date => Thu, 04 Dec 2014 19:41:48 GMT
Server => Apache/2.2.15 (CentOS)
Location => http://www.petenetlive.com/
Vary => Accept-Encoding
Content-Type => text/html; charset=iso-8859-1

<

7. Back in Google Analytics, select ‘Check again’.

5. It should say this.

6. Then it will say this ‘for ages!’.

 

Related Articles, References, Credits, or External Links

NA

Linux – Enable PHP Short Tags

KB ID 0000886 

Problem

I have a particular web page that uses PHP short tags. Post migration from my old hosting company to a dedicated VPS, this stopped working.

As I know little about Linux, and even less about PHP, I asked the question at Experts Exchange about why It was no longer working. I took no time at all, for someone who knew what they were doing to say, “Your code uses ‘Short tags’, but you do not have short tags enabled”

Solution

How To Enable PHP Short Tags From .htaccess

This would be your approach if you were on a hosted web server, and could not access the servers PHP configuration. In the ‘Root’ of your website should be a file called .htaccess you can simply edit this with any text editor (but make sure it does not save with a file extension!).

Add the following lines to the end;

[box]php_value short_open_tag 1
php_value asp_tags 1[/box]

How to Enable Short Tags in PHP

1. Connect to the server via SSH, (or open a terminal session). The file you need to edit is called php.ini. This server is running CentOS, so you should find that file in the /etc/ folder.

2. By default the line you are looking for is 229 (press CTRL+C to show position). Locate the short_open_tag = Off line.

3. Change the entry to ‘On’, and save the changes (CTRL+X and ‘Y’ to save).

4. Restart the web server.

[box]
service httpd restart[/box]

Related Articles, References, Credits, or External Links

NA

Apache Web Server – Change the Default Page

KB ID 0000882 

Problem

Out of the box, Apache expects your website homepage to be called index, on this site the homepage is called home, here’s how to change it.

Solution

1. Connect to the server via SSH, (or open a terminal session). The file you need to edit is called httpd.conf. This server is running CentOS, so you should find that file in the /etc/httpd/conf folder.

2. I’m going to edit it with nano.

3. Locate the DirectoryIndex section and remove index and any other unwanted filename (i.e. in this example index.var).

4. Add in the one you require and save and exit, (press CTRL+X and Y to save).

5. You nee to restart Apache for the change to take effect.

[box] apachectl -k restart[/box]

 

Related Articles, References, Credits, or External Links

NA

 

Apache is Ignoring the .htaccess file

KB ID 0000890

Problem

The .htaccess file is a file that lives in a directory on a web server. Its job is to provide ‘settings’ that would normally be set in the servers httpd.conf file. You can put a .htaccess file in any directory to control the settings for that directory, (providing .htaccess override has been allowed).

After having some problems the other day, I made a change to mine, then reliased the change was not applying.

Solution

1. Connect to the server via SSH, (or open a terminal session). Logon as, (or su to) root.

2. Change to the directory that the httpd.conf file is in, (usually the /etc/httpd/conf/httpd.conf directory).

[box] cd /etc/httpd/conf/httpd.conf [/box]

3. First let’s check that the config, has been set to recognise .htaccess as the AccessFileName.

[box] grep -i AccessFileName httpd.conf [/box]

4. Then the server needs to actually allow the overide (this was my problem). The following will show you all instances of AllowOverride, make sure you check them all.

[box] grep -i AllowOverride httpd.conf [/box]

5. To edit the file and change the approriate settings from None to All.

6. Then restart the the web server.

[box] service httpd restart [/box]

 

Related Articles, References, Credits, or External Links

NA